It is the established policy of Deploy Recruitment group (The Group consists of Deploy (UK) Ltd and Deploy (UK) Rail Ltd) to operate within the requirements of a documented Information Security Policy statement as a means to comply with all statutory, regulatory and contractual requirements, and, to protect the interests, property and information of the company, and of its clients and employees, against threats or loss. And applies to the processing of personal data in manual and electronic records kept by the Company as described below. It also covers the Company's response to any data breach and other rights under the General Data Protection Regulation (GDPR) and current Data Protection Act.

Information Security

In pursuance of this policy its stated requirements have been implemented together with the specified requirements of the company's associated information security and computer system access management work instructions.

The purpose of this Information Security Policy statement is to describe how security is implemented, to give guidance to our employees whose actions can affect the confidentiality and integrity of the business, its product and services, and, to illustrate the overall commitment to security issues within our company.

This Policy statement, which is not intended as a stand-alone document, is supported by detailed process operating procedures and to form a set of working documents, which define our company's security activities.

The Policy is maintained by audit and review, in order to provide effective assurance that all aspects of company, employee and customer specified security requirements are being implemented.

It is company policy to ensure that the use of documents, computers, mobile computing, mobile communications, mail, voice mail, voice communications in general, multimedia and postal services must be controlled to prevent unauthorized use and to reduce security risks.

All employees have a responsibility not to compromise the company, e.g. by sending defamatory or harassing electronic mail, or by making unauthorized purchases, and, must also be aware that the confidentiality and integrity of information transmitted by E-mail may not be guaranteed.

Access by employees to the Internet is restricted to business use only and any breach of this policy will result in disciplinary action being taken.

The Manager is responsible for managing information security, and he will also ensure that all employees are trained to understand, implement and maintain the security objectives set out in this Security Policy and as detailed in the company's security related Work Instructions.

Personnel File & Data Protection

The Company makes a commitment to ensuring that all personal data is processed in line with GDPR and domestic laws and all employees conduct themselves in line with this. Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures in order to maintain the Company's commitment to protecting data.

Types of Data Held

Personal data is kept in your personnel file. The following types of data may be held by the Company, as appropriate, on relevant individuals:

• Name, address, phone numbers - for individual and next of kin
• CVs and other information gathered during recruitment
• References from former employers
• National Insurance numbers
• Job title, job descriptions and pay grades
• Conduct issues such as letters of concern, disciplinary proceedings
• Holiday records
• Internal performance information
• Medical or health information
• Sickness absence records
• Tax codes
• Terms and conditions of employment
• Training details.

Sensitive Data

Some special categories of personal data, such as information about physical or mental health or disability, is processed to ensure your health and safety in the workplace and to assess your fitness to work, to provide workplace adjustments, to monitor and manage sickness absence and to administer benefits.

Where the company processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to employment.

Very occasionally, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests, or someone else's and you are not capable of giving your consent or you have already made the information public.

Data Protection Principles

All personal data obtained and held by the Company will:

• be processed fairly, lawfully and in a transparent manner
• be collected for specific, explicit, and legitimate purposes
• be adequate, relevant and limited to what is necessary for the purposes of processing
• be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
• not be kept for longer than is necessary for its given purpose
• be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
• comply with the relevant data protection procedures for international transferring of personal data.

In addition, personal data will be processed in recognition of an individuals' data protection rights, as follows:

• the right to be informed
• the right of access
• the right for any inaccuracies to be corrected (rectification)
• the right to have information deleted (erasure)
• the right to restrict the processing of the data
• the right to portability
• the right to object to the inclusion of any information
• the right to regulate any automated decision-making and profiling of personal data.

Procedures

The Company has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:

• it provides information to its employees on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
• it provides its employees with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
• it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
• it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security
• it recognises the importance of seeking individuals' consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Company understands that consent must be freely given, specific, informed and
• unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time
• it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Information Commissioner, and is aware of the possible consequences
  

Access to data

Relevant individuals are entitled to request data held about them on the system or in relevant files. The Company will endeavour to provide this data within a reasonable time. There is no charge for requesting this data.

Employees are only entitled to access data about themselves and will not be provided with data relating to other employees or third parties. It may be possible to block out data relating to a third party or conceal his or her identity, and if this is possible the Company may do so.

Data that is classified as the opinion of another person will be provided unless it was given on the understanding that it will be treated confidentially. Employees who express opinions about other employees in the course of their employment should bear in mind that their opinion may be disclosed in an access request, e.g. performance appraisals.

An employee who is dissatisfied with the outcome of an access request has the option of using the Company's grievance procedure.

Data Disclosures

The Company may be required to disclose certain data/information to any person. The circumstances leading to such

Disclosures include:

• any employee benefits operated by third parties
• disabled individuals - whether any reasonable adjustments are required to assist them at work
• individuals' health data - to comply with health and safety or occupational health obligations towards the employee
• for Statutory Sick Pay purposes
• HR management and administration - to consider how an individual's health affects their ability to do their job
• the smooth operation of any employee insurance policies or pension plans.

These kinds of disclosures will only be made when strictly necessary for the purpose.

Data Security

The Company adopts procedures designed to maintain the security of data when it is stored and transported.

In addition, employees must:

• ensure that all information of a confidential nature is stored in a secure manner and only accessed by people who have a need and a right to access it
• ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
• refrain from sending emails containing sensitive work-related information to their personal email address
• check regularly on the accuracy of data being entered into computers
• always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them
• use computer screen blanking to ensure that personal data is not left on screen when not in use.
• Failure to follow the Company's rules on data security may be dealt with via the Company's disciplinary procedure.
• Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.

International Data Transfers

The Company does not transfer personal data to any recipients outside of the EEA.

New Paragraph

We wholly committed to this Policy, and hereby state that it is the responsibility of every individual employee of the company to ensure that all security plans, standards, procedures, work instructions and actions fully meet with agreed company and customer requirements.

Paul Smith,

Managing Director

12T" January 2023